On-Prem WSUS Patch Management - What is the True Cost Burden?

What is Microsoft WSUS Patch Management?

Windows Server Update Services (WSUS) is a commonly used service add-on to Windows Server that automates Windows patching. WSUS was designed to alleviate the pain and difficulty of patching manually and to provide a central location within the organization’s network to stage and distribute patches and updates from.

WSUS seems like a simple patching option for Windows-only shops, however, it is both a complex and difficult to use tool. As organizations’ needs shift to a remote workforce or cloud- and BYOD-oriented infrastructures, Microsoft WSUS quickly becomes an insufficient solution. Maintaining a WSUS server in these situations can quickly balloon the hidden costs of WSUS while leaving IT admins in a crunch trying to extend an on-premise focused solution using VPNs as duct tape.

WSUS’ complexity shows when it comes time to manage and deploy the tool. WSUS requires a host of hidden costs including the hardware it is deployed on, Windows Server licenses, Microsoft CALs (a historically frustrating hidden cost), security software, and operational costs for IT admins. The costs can quickly spiral upward, pushing the TCO of WSUS above $120,000/yr in 2009 for an organization with 500 endpoints, according to Tolly

Microsoft WSUS - Hidden Costs

Cost Burden of WSUS - Hidden Costs

Hardware Costs

Hardware costs can include servers, storage space, network infrastructure, data backup, and hardware redundancy. Naturally, if you are using an on-premise solution like WSUS, you will bear the burden of deploying and maintaining the physical servers on which it will run. You can’t run a legacy software solution without good old iron to run it on! A typical deployment will require at least one server at each physical site to run the WSUS service locally to distribute patches.

Software Costs

The next money pit is software costs. Once you rack your pile of gear, it’s time to get your operating systems, databases, management, performance, reliability, VPNs, and security software deployed. Each of those components carries its own extra costs. Costs can quickly top $200 per endpoint over three years, even with ideal conditions. And don’t forget Microsoft CALs! Tack on a few grand of CALs just to access your “free” WSUS service. 

Operational Costs

Once you get your hardware and software squared away, it’s time to get busy actually putting it all together and running it. This comes with a host of new costs. Operational costs can quickly become the single largest line-item in the TCO for an on-premise WSUS solution. The previously mentioned Tolly report found that patching a strictly Windows-only environment took 252 hours of effort per year while adding third-party patching and non-Microsoft OS patching ballooned the effort to over 2,400 hours per year. That would amount to over $187,000 per year in operations costs alone according to the U.S. Bureau of Labor Statistics 2019 data, or roughly $374 per year per endpoint in operations costs alone! 

Breaking Free of WSUS with Cloud-Based Patch Management

Recognizing where your costs are spiraling out of control is the first step to fixing it! With the world stuck in a very sudden and strong shift towards remote workforces, it is time to consider changing your approach to patch management and cyber hygiene. Embracing a cloud-native solution will allow your organization to greatly reduce overall costs while improving your ability to patch hybrid infrastructure and remote devices. A cloud-native solution also carries greatly reduced costs for maintenance and support and keeps your patch management solution future-proofed.

Most organizations use a combination of cloud and on-premise servers and legacy patching solutions like WSUS are not able to adequately patch these devices and servers. WSUS requires additional configuration and workarounds like third-party tools layered on top of the WSUS server to patch complex infrastructure. Cloud-native solutions are built to patch hybrid networks with ease, and seamlessly work across varying server configurations.

In the past, remote employees may have utilized a VPN to access company data and programs, however, cloud-native SaaS programs mean that many devices have no need to connect via VPN. This creates a challenge for patching solutions that rely on on-premise servers, including the “free” WSUS server. Cloud-native patching solutions like Automox utilize an agent that can be remotely installed on every workstation. Once installed, the Automox agent maintains an encrypted session with their server which applies required patches when necessary, no matter where the endpoint is located.

Cloud-native patch management systems like Automox require no dedicated on-premise servers or maintenance by the end-user. On-premise solutions also require ongoing support from the vendor, while cloud-native Patching-as-a-Service solutions are built with ease of use in mind. These factors all contribute to the lower cost. 

How Automox Automated Patch Management Helps

Take the sass out of your patch management budget with a SaaS solution! 

Automox reduces your total cost of ownership with our cloud-native, easy-to-use patch management and endpoint hardening platform. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Learn more about our solution at automox.com. Or, feel free to sign up for a product demo.

Get Instant Updates on Vulnerabilities

Subscribe to receive Automox vulnerability alerts

Reduce your threat surface by up to 80%

Make all of your corporate infrastructure more resilient by automating the basics of cyber hygiene.

Take 15 days to raise your security confidence!
Start a Free Trial